Publish ghcr.io/virtuslab/sandcat-mitmproxy (multi-arch: amd64 + arm64), extending the upstream mitmproxy image with the 1Password op CLI. This will be used by the 1Password secrets integration to resolve op:// references at proxy startup. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
This PR introduces a pre-built mitmproxy container image that includes the 1Password op CLI, and adds CI automation to build and publish that image to GHCR. This supports upcoming work for 1Password-backed secret resolution (issue #38 / PR #39) by providing a reusable image artifact.
Changes:
- Add `images/mitmproxy/Dockerfile` extending `mitmproxy/mitmproxy` with the 1Password `op` CLI.
- Add a GitHub Actions workflow to build and publish a multi-arch image (amd64 + arm64) to GHCR on pushes to master.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| images/mitmproxy/Dockerfile | Builds a mitmproxy-based image and installs the op CLI into /usr/local/bin. |
| .github/workflows/build-mitmproxy-image.yml | Builds/publishes the mitmproxy+op image to GHCR with metadata-based tagging. |
| && unzip /tmp/op.zip -d /usr/local/bin op \ | ||
| && rm /tmp/op.zip \ |
The 1Password CLI binary is downloaded and installed without any integrity verification (checksum/signature). This is a supply-chain risk for an image that will be published to GHCR; consider validating the downloaded zip against the official SHA256 (or signature) before unzipping/installing.
| && unzip /tmp/op.zip -d /usr/local/bin op \ | |
| && rm /tmp/op.zip \ | |
| && curl -sSfo /tmp/op.zip.sha256 "https://cache.agilebits.com/dist/1P/op2/pkg/v${OP_CLI_VERSION}/op_linux_${ARCH}_v${OP_CLI_VERSION}.zip.sha256" \ | |
| && (cd /tmp && sha256sum --check op.zip.sha256) \ | |
| && unzip /tmp/op.zip -d /usr/local/bin op \ | |
| && rm /tmp/op.zip /tmp/op.zip.sha256 \ |
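Review bot: the checksum added in the suggested line `&& curl -sSfo /tmp/op.zip.sha256 "https://cache.agilebits.com/..."` is fetched from the same host and path prefix as the archive, so it only catches a corrupted download, not a substituted one; whoever can serve a different zip can serve a matching .sha256 next to it. Pin the expected digest in the Dockerfile itself (one `ARG` per architecture, updated together with `OP_CLI_VERSION`) or verify the vendor's signature, and fail the build on mismatch. Separately, `sha256sum --check op.zip.sha256` takes the file name from inside the .sha256 file: if that file names the archive as `op_linux_${ARCH}_v${OP_CLI_VERSION}.zip` while the download was saved as `/tmp/op.zip`, the check fails with a missing-file error instead of verifying anything. Comparing the digest directly (`echo "$EXPECTED  /tmp/op.zip" | sha256sum -c -`) avoids both problems.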
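The integrity check discussed in the comment above, written out as a POSIX shell fragment of the kind a Dockerfile `RUN` step would embed. This is an added example, not code from the PR or from 1Password: the digests are pinned in the build definition rather than fetched from the download host, the comparison never depends on the file name inside a vendor .sha256 file, and nothing is extracted or copied until the digest matches. `OP_SHA256_AMD64`, `OP_SHA256_ARM64`, `map_arch`, `install_verified` and the sample files are assumptions for illustration; the digests are those of the constructed sample files, not of any real `op` release, and `cp` stands in for `unzip` so the example runs offline.

```shell
#!/bin/sh
# Added example (not the PR's Dockerfile): digest pinning for a downloaded
# artifact. OP_SHA256_* stand in for per-architecture build ARGs; the values
# are sha256("abc") and sha256("hello"), matching the constructed samples
# below, not real 1Password CLI digests.
set -eu

OP_SHA256_AMD64=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
OP_SHA256_ARM64=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

# sha256_of FILE: prints the hex SHA-256 of FILE with whichever tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# verify_sha256 FILE EXPECTED_HEX: 0 on match, 1 otherwise. The file name is
# never read from a checksum file, so saving the download as op.zip rather
# than op_linux_<arch>_v<version>.zip cannot break the check.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# map_arch UNAME_M: maps a kernel machine name to the TARGETARCH value used
# in the download URL (amd64 / arm64); anything else is refused.
map_arch() {
  case "$1" in
    x86_64) echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# expected_digest TARGETARCH: the pinned digest for that architecture.
expected_digest() {
  case "$1" in
    amd64) echo "$OP_SHA256_AMD64" ;;
    arm64) echo "$OP_SHA256_ARM64" ;;
    *) echo "no pinned digest for $1" >&2; return 1 ;;
  esac
}

# install_verified ARCHIVE TARGETARCH DEST: verifies before anything reaches
# DEST; on mismatch DEST is untouched and the function returns 1.
# (cp stands in for `unzip ARCHIVE -d DEST op` so this runs offline.)
install_verified() {
  archive=$1; arch=$2; dest=$3
  want=$(expected_digest "$arch") || return 1
  if ! verify_sha256 "$archive" "$want"; then
    echo "digest mismatch for $archive ($arch): refusing to install" >&2
    return 1
  fi
  cp "$archive" "$dest/op"
}

# Demo on constructed files: the pinned "download" installs, a one-byte
# variant is rejected before it can reach DEST.
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/bin"
  printf '%s' abc > "$tmp/op.zip"            # constructed sample, digest pinned above
  printf '%s' abx > "$tmp/op-tampered.zip"   # constructed sample, one byte changed
  install_verified "$tmp/op.zip" "$(map_arch x86_64)" "$tmp/bin"
  if install_verified "$tmp/op-tampered.zip" amd64 "$tmp/bin" 2>/dev/null; then
    echo "tampered archive was accepted" >&2; rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"
}
demo
```

In a real build the two `OP_SHA256_*` values would be `ARG`s set next to `OP_CLI_VERSION` and bumped in the same commit, and `map_arch` would be replaced by the `TARGETARCH` that buildx provides for each platform of a multi-arch build. A pinned digest still only proves the archive is the one the maintainer looked at when pinning; checking the vendor's signature with the vendor's key is the stronger guarantee where one is published.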
| id: meta | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: ghcr.io/VirtusLab/sandcat-mitmproxy |
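Review bot: `uses: docker/metadata-action@v5` pins the action to a mutable major tag; for a workflow that holds write access to GHCR, pin each third-party action to a full commit SHA (with the version in a trailing comment for readability) so a retagged or compromised release cannot change what runs in the publish job. Apply the same to the login, setup and build/push steps in this workflow.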
The PR description/test plan references publishing ghcr.io/virtuslab/sandcat-mitmproxy, but the workflow uses ghcr.io/VirtusLab/sandcat-mitmproxy. Please align the image name/casing so the published image matches the documented pull/run command and avoids any registry/name normalization surprises.
| @@ -0,0 +1,15 @@ | |||
| FROM mitmproxy/mitmproxy:latest | |||
Using mitmproxy/mitmproxy:latest as the base for a published image makes builds non-deterministic and can cause silent breakage when upstream updates latest. Consider pinning to a specific mitmproxy version tag (or digest) and updating deliberately when needed.
| FROM mitmproxy/mitmproxy:latest | |
| FROM mitmproxy/mitmproxy:10.3.0 |
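Review bot: `FROM mitmproxy/mitmproxy:10.3.0` removes the drift that `latest` introduces, but a version tag is still mutable on Docker Hub; pin the digest as well (`FROM mitmproxy/mitmproxy:10.3.0@sha256:<digest>`, where `<digest>` is a placeholder for the value `docker buildx imagetools inspect` reports) so the published image is reproducible and a retagged base cannot change it silently. For a multi-arch build, pin the manifest-list digest rather than a single platform's image digest, otherwise one of the two architectures will fail to build.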
Summary
- `images/mitmproxy/Dockerfile` extending `mitmproxy/mitmproxy:latest` with the 1Password `op` CLI (multi-arch: amd64 + arm64)
- `ghcr.io/virtuslab/sandcat-mitmproxy` published on pushes to master
Test plan
- `ghcr.io/virtuslab/sandcat-mitmproxy:latest` is published after merge
- `op --version` works inside the published image
🤖 Generated with Claude Code